Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

Listing of Claims 

Claim 1 (currently amended): A method of providing from a centralized location access 
control to a resource for one or more users, said method comprising: 

receiving at the centralized location an authorization request from a first entity to issue 
authorization data for the one or more users based on roles associated with the users as part of an 
organization model, wherein said authorization data is required by a second entity for allowing 
the first entity to access a resource controlled by the second entity; 

responsive to the received authorization request, issuing the authorization data from the 
centralized location to the first entity, wherein the first entity provides the issued authorization 
data to the second entity, said authorization data including an expression identifying the resource 
by a resource name and by at least one property associated with the resource to conditionally 
define access to the resource, said authorization data further including validation information; 

receiving at the centralized location a validation request from the second entity to 
validate the issued authorization data that was provided to the second entity by the first entity; 
and 

responsive to the received validation request, validating the issued authorization data 
based on the validation information included therein; 

sending from the centralized location a response to the second entity indicating a 
determined validation status responsive to said validating the issued authorization data. 

Claim 2 (canceled). 
Claim 3 (canceled). 

Claim 4 (previously presented): The method of claim 1, wherein receiving the requests 
and issuing the authorization data occur over a secure sockets layer. 
Claim 5 (previously presented): The method of claim 1, wherein receiving the requests 
and issuing the authorization data occur over a network such as the Internet. 

Claim 6 (previously presented): The method of claim 1, further comprising creating the 
expression identifying the resource in response to the received authorization request. 

Claim 7 (previously presented): The method of claim 6, further comprising encrypting 
the created expression. 

Claim 8 (canceled). 

Claim 9 (canceled). 

Claim 10 (original): The method of claim 1, wherein one or more computer-readable 
media have computer-executable instructions for performing the method of claim 1. 

Claim 11 (currently amended): A method for validating at a centralized location 
authorization data to provide access to a resource for one or more users, said method comprising: 

receiving at the centralized location an authorization request from a client to issue 
authorization data for the one or more users based on roles associated with the users, wherein 
said authorization data is required by an affiliate server for allowing the client to access a 
resource controlled by said affiliate server; 

responsive to the received authorization request, generating at the centralized location an 
authorization token having a header field, a source field, and a claim field, said header field 
representing validation information, said source field representing the identity of the user, said 
claim field specifying the resource conditionally, said claim field including an expression 
identifying the resource by a resource name and by at least one property associated with the 
resource to conditionally define access to the resource; 

sending the authorization token from the centralized location to the client, wherein the 
client provides the authorization token to the affiliate server; 
receiving at the centralized location over a secure sockets layer a validation request from 
the affiliate server to validate the authorization token, said receiving the validation request 
comprises receiving a data packet according to the Simple Object Access Protocol (SOAP), and 
further comprising extracting the authorization token from the received data packet wherein said 
validation request includes the authorization token; 

retrieving validation information from the header field of the received authorization 
token; 

evaluating the retrieved validation information to determine a validation status of the 
received authorization token; and 

sending from the centralized location a response to the affiliate server indicating [[the]] a 
determined validation status responsive to said evaluating the retrieved validation information. 

Claim 12 (original): The method of claim 11, further comprising evaluating the 
expression to identify the resource. 

Claim 13 (previously presented): The method of claim 12, wherein evaluating the 
expression comprises extracting a target scope from the received authorization token, said 
extracted target scope identifying the resource. 

Claim 14 (canceled). 

Claim 15 (canceled). 

Claim 16 (previously presented): The method of claim 11, wherein receiving the 
validation request including the authorization token occurs over a network such as the Internet. 

Claim 17 (previously presented): The method of claim 11, further comprising decrypting 
the received authorization token. 

Claim 18 (canceled). 

MS#304548.01 (5096) 

Claim 19 (previously presented): The method of claim 11, wherein retrieving the 
validation information comprises retrieving a signature from the header of the received 
authorization token. 

Claim 20 (previously presented): The method of claim 19, wherein evaluating the 
retrieved validation information comprises determining that the retrieved signature is invalid, and 
wherein sending the response comprises sending a response indicating the invalidity of the 
received authorization token. 

Claim 21 (previously presented): The method of claim 11, wherein retrieving the 
validation information comprises retrieving an expiration date from the header of the received 
authorization token, and wherein evaluating the retrieved validation information comprises 
comparing the retrieved expiration date to a current time stamp to determine if the received 
authorization token has expired. 

Claim 22 (previously presented): The method of claim 21, wherein the received 
authorization token has been determined to be expired, and further comprising sending a 
response indicating the invalidity of the received authorization token. 

Claim 23 (original): The method of claim 11, wherein one or more computer-readable 
media have computer-executable instructions for performing the method recited in claim 11. 
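The token structure of claim 11 (header, source and claim fields), the signature of claim 38, the site identifier of claim 40 and the validation outcomes of claims 19 to 22 (invalid signature, expired token), carried through as an added example; this is not code from the application, and the signing key, the HMAC-SHA256 signature scheme and the `name[property]` expression syntax are assumptions made here for illustration: 

```python
import hashlib
import hmac

# Constructed example: the signing key held at the centralized location (assumption).
SIGNING_KEY = b"centralized-location-demo-key"


def _signature(key: bytes, expression: str) -> str:
    # Claim 38: the signature is generated over the expression identifying the resource.
    return hmac.new(key, expression.encode(), hashlib.sha256).hexdigest()


def issue_token(user, roles, resource_name, prop, site_id, ttl_seconds, now):
    """Issue an authorization token with header, source and claim fields (claim 11)."""
    # The claim field identifies the resource by name and by one property; the
    # "name[property]" form of the expression is an assumption, not the application's.
    expression = f"{resource_name}[{prop}]"
    return {
        "header": {
            "signature": _signature(SIGNING_KEY, expression),  # validation information
            "expiration": now + ttl_seconds,                    # claim 21
            "site_id": site_id,                                 # claim 40: the first entity
        },
        "source": {"user": user, "roles": list(roles)},        # identity of the user
        "claim": {"expression": expression},
    }


def validate_token(token, now):
    """Retrieve validation information from the header and determine a status (claims 19-22)."""
    header = token.get("header", {})
    expression = token.get("claim", {}).get("expression", "")
    expected = _signature(SIGNING_KEY, expression)
    # Constant-time comparison: a tampered expression or signature yields "invalid".
    if not hmac.compare_digest(str(header.get("signature", "")), expected):
        return "invalid: bad signature"
    # Claim 21: compare the expiration date against the current time stamp.
    if now >= float(header.get("expiration", 0)):
        return "invalid: expired"
    return "valid"


def target_scope(token):
    """Claim 13: extract the target scope (resource name, property) from the expression."""
    expression = token["claim"]["expression"]
    name, _, rest = expression.partition("[")
    return name, rest.rstrip("]")
```

The signature is checked before the expiration so that an unsigned or tampered token is rejected regardless of its stated lifetime.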

Claim 24 (currently amended): One or more computer-readable media having computer- 
executable components to control access to a resource by one or more users from a centralized 
location, said components comprising: 

an interface component adapted to receive at the centralized location an authorization 
request from a first entity to issue authorization data for the one or more users based on roles 
associated with the users, wherein said authorization data is required by a second entity for 
allowing the client to access a resource controlled by said second entity; 

an authorization component adapted to issue at the centralized location the requested 
authorization data for the users based on the roles associated with the users, said authorization 
data including an expression identifying a resource by a resource name and by a property 
associated with the resource and said authorization data including the validation information, 
wherein said interface component is further adapted to receive a validation request from the 
second entity, said validation request including the authorization data; 

a parser component adapted to retrieve validation information from the received 
authorization data; and 

a validation component adapted to evaluate the retrieved validation information, wherein 
the interface component is further adapted to send a response from the centralized location to the 
second entity indicating [[the]] a validation status of the received authorization data responsive 
to said evaluating the retrieved validation information. 

Claim 25 (canceled). 

Claim 26 (canceled). 

Claim 27 (original): The computer-readable media of claim 24, further comprising a 
scope component to evaluate the expression to identify the resource. 

Claim 28 (currently amended): An authorization system in a centralized location 
comprising: 

a memory area accessible from the centralized location for storing authorization data for 
use in providing a first entity access to a resource that is controlled by a second entity, said 
authorization data including an expression identifying the resource by a resource name and by at 
least one property associated with the resource; and 

a processor configured to execute computer-executable instructions for issuing from the 
centralized location, responsive to a request from the first entity, the authorization data for a user 
based on a role associated with the user and for validating, in response to a request from the 
second entity, the authorization data to provide access to the resource. 

Claim 29 (canceled). 
Claim 30 (original): The system of claim 28, wherein the processor is further configured 
to execute computer-executable instructions for evaluating the expression to identify the 
resource. 

Claim 31 (original): The system of claim 28, wherein the authorization data comprises a 
token. 

Claim 32 (canceled). 
Claim 33 (canceled). 
Claim 34 (canceled). 
Claim 35 (canceled). 

Claim 36 (previously presented): The method of claim 1, wherein the first entity is an 
application program. 

Claim 37 (previously presented): The method of claim 1, wherein the first entity is a 
computing device. 

Claim 38 (previously presented): The method of claim 1, further comprising generating a 
signature based on the expression identifying the resource, and wherein the validation 
information includes said generated signature. 

Claim 39 (previously presented): The method of claim 1 wherein the validation 
information includes an expiration date. 

Claim 40 (previously presented): The method of claim 1, wherein the validation 
information further includes a site identifier identifying the first entity. 
Claim 41 (previously presented): The method of claim 1 wherein said validation request 
includes the issued authorization data and wherein said validating includes: 

retrieving the validation information from the received authorization data; 
evaluating the retrieved validation information; and 

sending a response to the second entity indicating the validation status of the received 
authorization data responsive to said evaluating the retrieved validation information. 